Posts Tagged ‘oil and gas’

Tuesday, December 2, 2014 @ 02:12 PM gHale

Iran is targeting at least 50 companies and government organizations, including critical infrastructure, a new report said.

While the attacker had targets in quite a few different countries, in the U.S., computers belonging to chemical and energy companies, defense contractors, universities and transportation providers ended up hacked in what security firm Cylance called Operation Cleaver. The report said the Iranian group is the same one that breached the U.S. Navy’s unclassified computer system in September 2013.

Iran, once the victim of the Stuxnet attack on its nuclear enrichment facility in Natanz in 2010, increased its capabilities to the point where the country is a top-tier cyber power, according to the report which is the culmination of a two-year investigation. While the group Cylance followed remained focused on intelligence gathering, the choice of targets raises security fears, the report said. ISSSource reported the Stuxnet attack was a joint U.S.-Israel operation.

Cylance believes Operation Cleaver involves at least 20 hackers and the report outlines specialized tools the attackers used, including a botnet controlled by the hackers to process information or mount attacks.

“If the operation is left to continue unabated, it is only a matter of time before they impact the world’s physical safety,” the report said.

Cylance said it provided the information it collected to the U.S. Federal Bureau of Investigation. The FBI is already looking into Iranian hacking, including the Navy breach.

In one published report, Hamid Babaei, the spokesman for the Iranian mission to the United Nations in New York, denounced the report. “This is a baseless and unfounded allegation fabricated to tarnish the Iranian government image particularly aimed at hampering current nuclear talks,” Babaei said.

Cylance’s 86-page report gives a detailed evaluation of Iran’s cyber-espionage capabilities. The company drew on more than 80,000 files of stolen data and hacking tools Cylance said it obtained from computers used by the hackers since at least 2012.

From that trove, the company’s analysts peeled back what they said was a sweeping spying operation that focused on the U.S. and Iran’s Persian Gulf rivals, as well as on Germany, China, England and Israel.

“Compromised systems include Microsoft Windows web servers running IIS and ColdFusion, Apache with PHP, many variants of Microsoft Windows desktops and servers, and Linux servers. Compromised network infrastructure included Cisco VPNs as well as Cisco switches and routers,” the report said. “Unlike Stuxnet, no exotic exploitations (such as 0-days) were observed.”

“Within our investigation, we had no direct evidence of a successful compromise of specific Industrial Control Systems (ICS) or Supervisory Control and Data Acquisition (SCADA) networks, but Cleaver did exfiltrate extremely sensitive data from many critical infrastructure companies allowing them to directly affect the systems they run. This data could enable them, or affiliated organizations, to target and potentially sabotage ICS and SCADA environments with ease,” the report said.

Universities and their financial aid and housing offices ended up targeted, suggesting the spies were interested in students, perhaps as potential recruits, the report said.

Companies cited in the Cylance report provide a map of intelligence priorities.

In addition, the report said the attackers stole passport photos, employee credentials and data that could end up used to impersonate workers and bypass airport security checkpoints.

Cylance said its researchers took advantage of hackers’ mistakes to access some computers they used to organize their attacks, revealing dozens of targets and a large cache of stolen files. Cylance said the documents it obtained open only a modest window onto the group’s operations and the total number of targets is likely larger.

SIMATIC WinCC monitors and controls physical processes involved in industry and infrastructure, and sees action in industries such as oil and gas, chemical, food and beverage, water and wastewater.

PCS 7 is a distributed control system (DCS) integrating SIMATIC WinCC, and TIA Portal is the company’s engineering software used for SIMATIC products.

The first vulnerability (CVE-2014-8551) within WinCC is critical, with a CVSS Base Score of 10.0. The flaw could allow remote code execution for unauthenticated users if specially crafted packets end up sent to the WinCC server, according to the security advisory from Siemens ProductCERT.

The second vulnerability (CVE-2014-8552), also a component within WinCC, could allow an unauthenticated attacker to extract arbitrary files from the WinCC server by sending specially crafted packets to the server. However, in order to exploit this flaw, the attacker must have network access to the affected system, Siemens said.

Tuesday, September 23, 2014 @ 09:09 PM gHale

By Gregory Hale
Oil and gas continues to be a hotbed of activity when it comes to automation and that also means security is top of mind.

When it comes to designing a network diagram for any kind of oil and gas environment, everyone has to understand the main assets that need protection and they need a clear understanding of what they need to secure.

“In one greenfield offshore platform, control systems engineers developed a diagram and IT came in to design security and they found the PLCs were the critical assets,” said Scott Howard, commercial engineer at Belden Inc. during his talk Tuesday on security applications in the oil and gas market at the 2014 Industrial Ethernet Infrastructure Design Seminar, Houston, TX.

They also found that PCs were threats along with networks the control engineers could not control, and that included the business system. “The first rule in security is to not trust anything you can’t control,” Howard said.

After they made their first draft at a network diagram for the platform network, Howard said they went and analyzed the system. They then created zones for the critical assets. Zones for the junction boxes, the switch gear, subsea cabinets, the PLC cabinet and the enterprise network.

They also found they had an I/O server that was a shared asset between the enterprise and the control network, so they had to create a demilitarized zone (DMZ), which allows access to a shared network using a multiport device.

After they created the zones which segmented the critical assets and created the DMZ, the network diagram became more understandable and more secure.

Another example Howard talked about was a refinery which was running a parallel network.

“We did a risk assessment and looked at zones and conduits and we did a risk analysis and looked at the threats,” Howard said. “This was a very complex plant.”

Part of a defense in depth model calls for segmentation via zones and conduits which is part of the IEC 62443 standard. This model helps lock down a network. Using this model, a user should only allow minimum required traffic into zones and when threats do come through alarms sound, Howard said.

A conduit is a pathway of communications that exits and enters a zone. A zone is a specialized area on the network that needs protection.

The threats they understood for the refinery were a release of hazardous products, a process reactivity incident and a process shutdown.

They then created a chart that looked at the vulnerability, then the possible threat source, skill levels, potential consequence, severity, likelihood and the risk.

When they looked at the process shut down they found an interesting development.

“No one ever considered the safety system to be a security threat,” Howard said. “That ended up being a surprise. The safety system was so critical it needed its own zone separate from the control system zone.”

By creating a solid zones and conduits model, they were able to get a solid segmented security program up and running for the refinery.

“We could protect the entire plant with 14 (Tofino firewalls). We could do that entire refinery for less than $200,000,” Howard said.

One of the final project Howard discussed was a pipeline installation in Alaska. Again, they found through a security diagram, the PLC was the critical asset. “This guy has to keep working no matter what,” he said.

One of the other issues they had was with a business scenario. Pipeline owners buy and sell oil as it enters the pipeline and as it exits at the refinery. To ensure the proper amount of oil ends up bought and sold, operators will use a flow meter to measure the amount of oil in the pipeline.

Because the flow meter connected to the system it ended up being a vulnerable asset. In this case, Howard said, a partner called one day to tell the operator it appeared the PLC they were using was not operating properly.

It ended up being the flow meter had a connection to the network and the partner was able to look at the data from the PLC.

“The next day a firewall was put in there to not allow visibility to the network,” Howard said. The flow meter, he said, ended up being a shared resource and they put in a DMZ around that device.

Oil and gas are no different than any other industry, it is all about knowing and understanding your network.

Wednesday, July 30, 2014 @ 12:07 PM gHale

Oil and gas companies are now able to enhance worker training and demonstrate technical concepts and techniques via stronger 3D animation and imagery.

Part creative content provider and part technologist, FuelFX, a media and software company almost exclusively focused on the oil and gas industry, creates content for marketing and training departments and for the operational side of oil and gas companies to help in those processes.

Cutting-edge 3D and visualization technology can allow companies to be more efficient in training workers, as well as improve efficiency and operational safety.

Founded seven years ago, the company really grew following the 2010 Deepwater Horizon incident, when FuelFX worked with BP plc and other members of the Unified Command by producing daily infographics and visualizations to update the Unified Command team, the White House and U.S. public on the efforts, operational plans and challenges involved in the Deepwater Horizon incident response. Other team members included Transocean, the U.S. Coast Guard, U.S. Department of the Interior, the U.S. Environmental Protection Agency and the Occupational Safety and Health Administration.

3D imaging is not a new thing, but the next thing, representing a step change in communications.

The need for using new visualization tools stems from the fact most of the time the magic in the oil and gas industry happens with things that you can’t see or that are 5,000 feet underground, or encased in steel or in high pressure, high temperature environments.

These effects allow companies to sell, understand, and learn how to operate technology, as well as provide business intelligence on the operations side, said FuelFX Chief Executive Oliver Diaz. 3D graphics can range from low-end graphics, such as process diagrams and infographics, to 3D animation in video to interactive media tools such as virtual and augmented reality.

Virtual reality, also called immersive multimedia, is a computer-simulated environment that can simulate a person’s physical presence in places in real or imagined worlds. Efforts to develop virtual reality tools have been ongoing since the 1980s; it has only been in recent times the technology is now affordable to a wider audience. One example of virtual reality technology is Oculus VR, a virtual reality startup purchased by Facebook for $2 billion. The company offers the Oculus Rift, is a virtual reality headset system initially developed for gaming.

The oil and gas industry is using virtual reality to train workers for offshore and onshore rig environments, virtually placing a worker on a rig so they can learn to navigate and learn about different operations on board the rig.

While virtual reality replaces the real world with a simulated environment, augmented reality takes digital information and visuals and puts it in the space around a person.

“Augmented reality works by augmenting reality with information,” Diaz said.

In the oil and gas industry, augmented reality technology can allow oil and gas companies to see inside equipment at a refinery to monitor temperature and supply levels, said Diaz. Augmented reality hardware components can go in mobile devices like tablet computers and smart phones and in monitors and display systems worn by a user. Google Glass augmented reality glasses are one example of this technology. Augmented reality applications can integrate printed material with video, in education, industrial design, gaming, medical, navigation and communication in the military.

The idea comes to life because 3D graphics and imaging technology is to better impart knowledge in training in a way that allows workers to retain more information, allowing people to understand where technology can fit into their operations.

“It’s about changing people’s experience and situational awareness at work,” Diaz said. “Basically, it’s about communicating, training and imparting knowledge with the solutions.”

Some makes of cars allow a driver to view an app to locate a part and determine what’s wrong with a car, rather than flipping open a manual.

“Imagine what can be done for an offshore facility where there’s tons of equipment,” said Diaz of the potential for augmented reality on offshore rigs.

Virtual reality tools in oil and gas could help in training and to recreate an incident to determine its cause. By merging the digital and real worlds, augmented reality technology could allow workers on offshore and onshore rigs and other facilities to get directions on how to operate equipment.

The retirement of Baby Boomer-aged workers, the large age gap between Baby Boomers and younger workers, and the number of workers changing jobs within the industry, makes knowledge retention difficult. Using completely immersive tools such as augmented reality can enable knowledge transfer.

Friday, July 11, 2014 @ 04:07 PM gHale

If this doesn’t convince all that security is necessary, then nothing will: Almost 70 percent of companies surveyed responsible for the world’s power, water and other critical functions have reported at least one security breach that led to the loss of confidential information or disruption of operations in the past year.

Of the 599 security executives at utility, oil and gas, energy and manufacturing companies, 64 percent of respondents anticipated one or more serious attacks in the coming year, according to the report conducted by Unisys and the Ponemon Institute. Despite this risk, only 28 percent ranked security as one of the top five strategic priorities for their organization. Flying in the face of one of the major reasons to users should implement security, a majority of those surveyed said their top business priority is minimizing downtime.

“The findings of the survey are startling, given that these industries form the backbone of the global economy and cannot afford a disruption,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “While the desire for security protection is apparent among these companies, not nearly enough is actually being done to secure our critical infrastructure against attacks.”

Only one in six respondents describe their organization’s IT security program or activities as mature. Respondents who reported suffering a data breach within the past year most often attributed these breaches to an internal accident or mistake, and negligent insiders were the most cited threat to company security. Despite these findings, only six percent of respondents said they provide cybersecurity training for all employees.

“Whether malicious or accidental, threats from the inside are just as real and devastating as those coming from the outside,” said Dave Frymier, chief information security officer at Unisys. “We hope the survey results serve as a wake-up call to critical infrastructure providers to take a much more proactive, holistic approach to securing their IT systems against attacks. Action should be taken before an incident occurs, not just after a breach.”

The survey also highlighted the concerns many of these executives feel regarding the security of industrial control systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems, which monitor and control the processes and operations for power generation and other critical infrastructure functions.

When asked about the likelihood of an attack on their organizations’ ICS or SCADA systems, 78 percent of the senior security officials responded that a successful attack is at least somewhat likely within the next 24 months. Just 21 percent of respondents thought that the risk level to ICS and SCADA has substantially decreased because of regulations and industry-based security standards, which appears to mean tighter controls and better adoption of standards, along with vigilance, are ingredients to the recipe for success.

The firm, which provides services and equipment for the oil and gas, mining, nuclear and renewable energy sectors, said the acquisition would also add oil and gas transport and refining capabilities to its existing extraction facilities.

Larger European contractors have been looking for acquisitions which they believe would help them expand into new regions such as Africa and newer areas such as liquefied natural gas (LNG) and shale.

Amec expects a 10 percent boost in earnings in the first 12 months after the acquisition, with returns on its investment to exceed the cost of capital in the second year.

It said the deal would also create annual cost savings of at least $75 million.

Foster Wheeler provides engineering services and power generator equipment to the LNG, oil and gas and petrochemical sectors.

Foster Wheeler will hold shares in Amec after the deal’s completion representing 23 percent of the enlarged company, and Amec will seek a U.S. listing in connection with the transaction, the companies said.

Tuesday, November 5, 2013 @ 11:11 AM gHale

By Gregory Hale
The manufacturing automation industry has to take cyber security more seriously than it currently does.

“I really hope it doesn’t take a major incident to have the industry take security more seriously than it currently does,” said Darius Adamczyk, president and chief executive at Honeywell Process Solutions during his keynote address today at the EMEA Honeywell User Group (HUG) in Nice, France. “I hope this doesn’t happen to me is not a viable defense.”

The idea the industry is aware they need to understand cyber security, but doesn’t know where to start is not surprising – and believe it or not it is a sign of moving forward. It is a slow movement, but it is movement nonetheless.

How serious is the problem?

Adamczyk quoted Former Homeland Security Department Director Michael Chertoff, who spoke at an executive summit Honeywell conducted last month, saying “The single biggest threat we face is not terrorist activity, it is cyber security.”

“Cyber security is one of the most interesting areas and one we don’t take seriously enough,” he said.

Adamczyk also talked about how security can be a safety issue also.

“Safety is the single most important thing we do, whether providing safety for the process or preventing intruders on the site, cyber security is another part of safety.”

Adamczyk also talked about other initiatives and industry trends in the industry.

In terms of energy production, he said we are going through transformational times.

There has been a spike in production in the U.S. with unconventional energy. In addition, he said the North Sea is declining in production, but with some new innovations he said there could be a rebound.

In terms of regions producing energy, he said Western Europe closed 14 refineries since 2008. He said the former Soviet Union saw an increase in capacity. Middle East saw a substantial increase in capacity and national oil companies are getting more aggressive in investments. “There has been quite a change in who is making the investments.”

Mining is going through a rough time and the main reason for that is the slowdown in China. Pulp and paper, he said, has some interesting developments going on with negative growth rates predicted for North America, Western Europe and Japan, but positive growth rates in India and China.

Safety, just looking at some UK numbers which Adamczyk said is a good indicator, “safety is improving; fatalities have dropped. That is the good news. The bad news is safety has plateaued and that is a troubling trend.”

When talking about safety, the number one cause of safety incidents is operator error, Adamczyk said. That is where training and simulation programs come into play.

“It is paramount to us to provide a safe work environment,” he said.

There is one fundamental difference between safety and security and that is users can place a safety system in and know it will be working over a period of time. Yes, there has to be maintenance, but the system will be in and running. Security, though, is a very dynamic environment.

“Cyber threats change daily, monthly, and yearly,” Adamczyk said. “If you think you can put something in and you will be safe, think again.”

Thursday, August 8, 2013 @ 06:08 PM gHale

The threat toxic and combustible gases pose to the safety of plant personnel and nearby communities continues to draw intense attention.

Several catastrophic accidents, such as the Pike River mine explosion in New Zealand, have given industrial safety more prominence in the public consciousness and spurred demand for safety systems and safety instrumentation like toxic and combustible gas detectors.

The Pike River Mine disaster was a November 19, 2010 coal mining accident that began on November 2010 in the West Coast Region of New Zealand’s South Island. An explosion occurred in the mine at approximately 3:44 p.m. At the time of the explosion 31 miners and contractors were in the mine. Two miners managed to walk away, treated for injuries. The remaining 16 miners and 13 contractors, were around 5,000 feet from the mine’s entrance.

Following a second explosion on November 24 at 2:37 p.m., police believed the 29 remaining men died. Police Superintendent Gary Knowles, officer in command of the rescue operation (Operation Pike) said he believed that “based on that explosion, no one survived.” A third explosion occurred at 3:39 p.m. on November 26, and a fourth explosion occurred just before 2 p.m. on November 28.

Compliance with increasingly tough safety regulations will remain a major factor driving investment in safety systems and toxic gas detectors among oil and gas, refining, petrochemical and mining customers.

With that in mind, the worldwide market for toxic and combustible gas detectors will continue to grow next year according to a new ARC Advisory Group study.

“Protection of human lives and plant assets is critical to all organizations and that is why, even though the economic recovery has slowed down in recent years, we still expect the gas detection market to grow,” said ARC Advisory Group Analyst Inderpreet Shoker, the principal author of ARC’s “Toxic and Combustible Gas Detector Global Market Research Study.”

The toxic and combustible gas detectors market consists of hundreds of companies, with small niche suppliers and those with more product lines, systems, and strong service capabilities. However, going forward ARC sees a strong trend toward consolidation.

Large suppliers are acquiring small manufacturers to increase their market share. Acquisition helps them to expand product lines and foray into new markets by acquiring new technologies. The market is also observing new entrants through acquisitions.

Hyperspectral and infrared cameras are among the newer technologies gaining wider acceptance in recent times. These cameras can visualize various toxic and combustible gases to produce a picture of the scanned area in real-time. Well suited for detection of various types of volatile organic compounds (VOCs), these cameras are becoming an attractive option for industries such as chemical and water & wastewater.

With China and India as the growth engines, Asia represents the greatest opportunity for greenfield projects for gas detector suppliers.

However, in these developing markets enforcement of regulations sometimes slides. As a result, users tend to be less concerned about reliability than about cost. With safety issues becoming a major point of concern for the governments of these countries, ARC sees this trend changing in future. Quite a few developing countries are taking measures to improve the implementation to address rising safety issues. As a result, end users in these regions have started to overlook the cost and pay more importance to reliability and performance of the detectors.

The company has spent about $11 billion in acquisitions since 2007 to boost its presence in the oil and gas business, which is the conglomerate’s fastest-growing. That sector contributes about 10 percent of GE’s total revenue.

The leak last March had been due to corrosion stress cracking caused by a reaction between grease on the threads of the well casing and bromine used in the fluid inside the well, said Patrice de Vivies, the company’s senior vice president for exploration and production for northern Europe.

In addition, a gas layer called Hod, which was 1,000 meters or about 3,300 feet above the Fulmar gas layer tapped by the well, unexpectedly began producing oil and gas, possibly because production of the lower layer affected it. He called this set of circumstances “unique.”

“It is impossible to forecast this type of incident,” de Vivies said.

Total evacuated 238 workers from the Elgin platform, about 240 kilometers or about 150 miles from Aberdeen in Scotland, after they found the leak. The platform serves a complex of fields. There was a danger the gas could catch fire, leading to a catastrophic incident. The well, known as G4, ended up plugged about two months later. The incident caused no injuries.

At the time of the shutdown, Elgin-Franklin was producing the equivalent of 140,000 barrels of oil per day in gas and liquids, making it a very large field.

de Vivies said the company had submitted plans late last year for restarting the field and it expected British authorities to accept them shortly. The company then plans to bring the field back online gradually, starting with four wells compared to 14 at the time of the incident. He said he expected production by year-end to be 70,000 barrels per day, or half of what it was at the time of the leak. By 2016, the company’s should take production levels above 140,000 barrels per day, he said.

Total had learned lessons from the leak in a field in which the gas is under high pressure and high temperature, and that the company would be more conservative about how it operated in the future, de Vivies said. He also said Total would share its findings with other companies to avoid a repeat of this type of incident.